In a computer network environment, a computer connected to the network must protect itself against attacks from remote entities (e.g., computers) connected to the same network, whether a Local Area Network (LAN) or the Internet. An attacker on a remote computer may initiate an attack on a target computer by attacking a user password. Although dictionary-based passwords are the most common means by which a user authenticates to a computer or logs in to a remote computer, they are inherently insecure: they are usually chosen by humans from a relatively small domain and are therefore easy to guess. Computer-generated passwords may be slightly more secure, but are not optimal because they are not user friendly and may be difficult to remember. An attacker may also attack passwords by eavesdropping on a network channel and learning confidential information (e.g., a username/password pair) from the output of the computer system. In addition to dictionary attacks, a networked computer may be vulnerable to Denial of Service (DoS) attacks and to attacks on username/password authentication and HTTP authentication, which are described below.
A networked computer may be vulnerable to online dictionary attacks on username/password pairs. In an online dictionary attack, an attacker makes an initial guess at a username/password pair and then systematically and repeatedly attempts to log in using revised versions of the pair derived from the initial guess. Dictionary attacks are usually carried out as a specially crafted sequence of username/password retries. Thus, if an attacker continuously sends username/password authentication requests to a target computer, the attacker eventually may identify which requests the target computer validated and break into the corresponding user accounts.
A networked computer may also be vulnerable to another form of attack, referred to as a Denial of Service (DoS) attack. In a DoS attack, the attacker attempts to deliberately lock out a user account by repeatedly trying to log in to the account using random passwords. In one form, a DoS attack may take the form of a TCP SYN flooding attack. A SYN (synchronize) message is a type of packet used by the Transmission Control Protocol (TCP) when initiating a new connection, to synchronize the sequence numbers of the two connecting computers. To understand this type of attack, consider that when one system (the client) attempts to establish a TCP connection to another system providing a service (the server), the client and server exchange a set sequence of messages. The client begins by sending a SYN message to the server. The server acknowledges the SYN message by sending a SYN-ACK (SYN-acknowledge) message to the client. The client then finishes establishing the connection by responding with an ACK (acknowledge) message. The connection between the client and the server is then open, and service-specific data can be exchanged between them. The potential for abuse arises at the point where the server has sent an acknowledgment (SYN-ACK) back to the client but has not yet received the ACK message. This is typically referred to as a half-open or partially open connection. The server holds in its system memory a data structure describing all pending connections. This data structure is of finite size, and it can be made to overflow by intentionally creating too many partially open connections.
Creating half-open connections may be accomplished with Internet Protocol (IP) spoofing. The attacking system sends SYN messages to the victim server. Although these SYN messages appear legitimate, they in fact reference a client system that is unable to respond to the SYN-ACK messages, so the final ACK message is never sent to the victim server. The half-open connection data structure on the victim server eventually fills, and the system is unable to accept any new incoming connections until the table is emptied. Normally a timeout is associated with a pending connection, so the half-open connections eventually expire and the victim server recovers. However, the attacking system can simply continue sending IP-spoofed packets requesting new connections faster than the victim can terminate the pending connections. Typically, the victim of such an attack has difficulty accepting any new incoming network connection. In such cases, the attack affects neither existing incoming connections nor the ability to originate outgoing network connections. In some cases, however, the system may exhaust memory, crash, or be rendered otherwise inoperative. An attacker may be able to impose a DoS attack on a target computer if the attacker knows any one of the usernames configured on that computer. Such DoS attacks are not necessarily confined to the target computer. Furthermore, any legitimate sessions established prior to or during a DoS attack may be disconnected as a result.
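The server-side state behind the half-open connection table described above, as an added example that is not part of the original text: a finite pending-connection table with a timeout, driven by SYN arrivals that either complete the handshake or never send the final ACK. Capacity, timeout, rates and the 192.0.2.0/24 source addresses are constructed for illustration.

```python
"""Server-side model of the handshake described above: a finite table of
half-open entries (SYN-ACK sent, final ACK not yet received) with a timeout.
Added example, not from the original text; capacity, timeout, rates and
source addresses are constructed, and time is in integer milliseconds."""

class HalfOpenTable:
    def __init__(self, capacity: int, timeout_ms: int) -> None:
        self.capacity = capacity      # finite size of the pending-connection structure
        self.timeout_ms = timeout_ms  # how long a half-open entry is kept
        self.pending = {}             # (src_ip, src_port) -> ms at which SYN-ACK was sent
        self.rejected = 0             # SYNs refused because the table was full
        self.established = 0          # handshakes that completed

    def _expire(self, now_ms: int) -> None:
        # Reclaim entries whose final ACK never arrived within the timeout.
        for key in [k for k, t in self.pending.items() if now_ms - t >= self.timeout_ms]:
            del self.pending[key]

    def on_syn(self, key, now_ms: int) -> bool:
        """SYN received: True if a SYN-ACK goes out and the entry is stored."""
        self._expire(now_ms)
        if key in self.pending:
            return True               # retransmitted SYN; entry already held
        if len(self.pending) >= self.capacity:
            self.rejected += 1        # table full: the new connection cannot be accepted
            return False
        self.pending[key] = now_ms
        return True

    def on_ack(self, key, now_ms: int) -> bool:
        """Final ACK received: completes the handshake only for a known entry."""
        self._expire(now_ms)
        if self.pending.pop(key, None) is None:
            return False
        self.established += 1
        return True

def simulate(syns_per_sec: int, seconds: int, capacity: int = 128,
             timeout_ms: int = 30_000, clients_respond: bool = True) -> dict:
    """One SYN per interval, each from a fresh constructed source. With
    clients_respond=False no ACK ever arrives, as for an unreachable source."""
    table = HalfOpenTable(capacity, timeout_ms)
    interval = 1000 // syns_per_sec
    for i in range(syns_per_sec * seconds):
        key, now = ("192.0.2.1", 40_000 + i), i * interval   # constructed source
        if table.on_syn(key, now) and clients_respond:
            table.on_ack(key, now)
    return {"rejected": table.rejected, "established": table.established,
            "still_half_open": len(table.pending)}
```

With ten SYNs per second for a minute, `simulate(10, 60)` completes all 600 handshakes, while `simulate(10, 60, clients_respond=False)` fills the 128-entry table within 13 seconds and refuses every further SYN except during the brief window when the oldest entries time out, which the unanswered arrivals refill immediately.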
A conventional countermeasure to these common dictionary attacks is to lock out the user account. Locking a user account, however, is costly, since it effectively imposes a DoS attack on the user. For example, entities that conduct the majority of their business online, such as online auctions and service-related organizations, are likely to suffer real financial losses if user accounts are locked out because of dictionary or DoS attacks. Thus, there is a need to secure password-based authentication systems against online dictionary, DoS, and other such password attacks.
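The cost of the lockout countermeasure, as an added example that is not part of the original text: a small lockout policy replays a constructed trace of login events and counts how many of the legitimate user's own logins it refuses. The credential, threshold, lock duration and events are all constructed.

```python
"""Replay of authentication events against an account-lockout policy, to show
the cost noted above: failures caused by someone else lock the account, and the
legitimate user is then refused as well. Added example, not from the original
text; the credential, threshold, lock duration and event trace are constructed."""
from collections import defaultdict

LOCKOUT_AFTER = 5      # consecutive failures before the account locks
LOCK_SECONDS = 900     # how long the account stays locked

class LockoutPolicy:
    def __init__(self, valid: dict) -> None:
        self.valid = valid                  # username -> password (constructed)
        self.failures = defaultdict(int)    # username -> consecutive failures
        self.locked_until = {}              # username -> time (s) at which the lock ends

    def attempt(self, user: str, password: str, now: int) -> str:
        """Returns 'ok', 'bad_password' or 'locked'."""
        if self.locked_until.get(user, -1) > now:
            return "locked"                 # refused whatever the password is
        if self.valid.get(user) == password:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= LOCKOUT_AFTER:
            self.locked_until[user] = now + LOCK_SECONDS
            self.failures[user] = 0
        return "bad_password"

def replay(events) -> dict:
    """events: (time_s, user, password, is_legitimate_user) tuples. Counts wrong
    passwords, and how many of the legitimate user's own logins were refused."""
    policy = LockoutPolicy({"alice": "correct-horse"})
    summary = {"bad_password": 0, "legit_refused": 0, "legit_ok": 0}
    for t, user, pw, legit in events:
        result = policy.attempt(user, pw, t)
        if result == "bad_password":
            summary["bad_password"] += 1
        elif legit:
            summary["legit_ok" if result == "ok" else "legit_refused"] += 1
    return summary

# Constructed trace: five wrong passwords for 'alice' submitted by a remote party,
# then alice's own correct login, then her retry after the lock has expired.
EVENTS = [(t, "alice", "wrong-%d" % t, False) for t in range(5)] + [
    (10, "alice", "correct-horse", True),
    (10 + LOCK_SECONDS, "alice", "correct-horse", True),
]
```

`replay(EVENTS)` reports one refused legitimate login: the account was locked by failures the user never made, which is exactly the DoS the text describes.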